This file lists the major changes made between Owl releases. While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem. They are, however, mentioned in
change logs for the packages themselves.

Corrected a bug in the way salts for extended DES-based and for
MD5-based password hashes are generated with the crypt_gensalt*() family
of functions; thanks to Marko Kreen for discovering and reporting this.
The bug would result in a higher than expected number of matching salts
with large numbers of password hashes of the affected types generated on
an Owl system through a mechanism that uses the affected glibc functions
(such as pam_tcb). If the password hashes were ever compromised
(e.g., by exploiting another vulnerability), it would be possible to
test candidate passwords against them at a faster effective rate because
of this bug. The Blowfish-based (bcrypt) hashes that Owl has always
been using by default and the traditional DES-based crypt(3) hashes were
not affected.
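
Added example (not part of the Owl change log, glibc or pam_tcb): a Python
check that measures salt reuse among shadow-style password entries, which is
the quantity this bug inflated. The account lines are constructed sample data
and the helper names salt_of and salt_reuse are hypothetical.

```python
from collections import Counter

def salt_of(hash_field):
    """Return (scheme, salt) for a crypt(3)-style hash, or None if unrecognized."""
    parts = hash_field.split("$")
    if hash_field.startswith("$1$"):        # MD5-based: $1$<salt>$<digest>
        return ("md5", parts[2]) if len(parts) == 4 else None
    if hash_field.startswith("$2"):         # bcrypt: $2a$<cost>$<22-char salt><31-char digest>
        ok = len(parts) == 4 and len(parts[3]) == 53
        return ("bcrypt", parts[2] + "$" + parts[3][:22]) if ok else None
    if hash_field.startswith("_") and len(hash_field) == 20:
        # extended DES: _<4-char count><4-char salt><11-char digest>;
        # two hashes share work only if both count and salt match
        return ("ext-des", hash_field[1:9])
    if len(hash_field) == 13:               # traditional DES: <2-char salt><11-char digest>
        return ("des", hash_field[:2])
    return None                             # locked, empty or unknown format

def salt_reuse(shadow_lines):
    """Map scheme -> (hashes, distinct salts, hashes per distinct salt)."""
    per_scheme = {}
    for line in shadow_lines:
        fields = line.strip().split(":")
        parsed = salt_of(fields[1]) if len(fields) > 1 else None
        if parsed:
            per_scheme.setdefault(parsed[0], Counter())[parsed[1]] += 1
    # hashes/salts is the factor by which testing one candidate password
    # against every hash gets cheaper than it would with all-unique salts
    return {s: (sum(c.values()), len(c), sum(c.values()) / len(c))
            for s, c in per_scheme.items()}

# Constructed sample entries (digests are filler, not real hashes).
SAMPLE = [
    "alice:$1$Qx3kLm9p$" + "A" * 22 + ":13000:0:99999:7:::",
    "bob:$1$Qx3kLm9p$" + "B" * 22 + ":13000:0:99999:7:::",   # same salt as alice
    "carol:$1$7hTr2Wv.$" + "C" * 22 + ":13000:0:99999:7:::",
    "dave:_J9..Sa1t" + "D" * 11 + ":13000:0:99999:7:::",
    "erin:_J9..Sa1t" + "E" * 11 + ":13000:0:99999:7:::",     # same count and salt as dave
    "frank:$2a$08$" + "F" * 53 + ":13000:0:99999:7:::",
    "grace:!!:13000:0:99999:7:::",                           # locked account, skipped
]

if __name__ == "__main__":
    for scheme, (n, salts, ratio) in sorted(salt_reuse(SAMPLE).items()):
        print(f"{scheme}: {n} hashes, {salts} distinct salts, x{ratio:.2f}")
```

A ratio noticeably above 1.00 for a scheme with a large salt space means
hashes on the system should be regenerated with a fixed salt generator.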

2005/12/30 Package: dialog

Updated to 1.0-20051219.

2005/12/27 Package: pam

Updated to 0.99.2.1. Moved pam_stack into a new pam-compat subpackage.

The handling of LM hashes has been enhanced to use case insensitive
comparisons of the encodings when eliminating duplicate and
already-cracked hashes at load time and when displaying cracked
passwords. The way nouns ending in "z" and "h" are pluralized with the
"p" wordlist rules command has been corrected. A workaround for OpenAFS
has been added to unafs. Any charset file changes will now be detected
when restoring sessions. The supplied charset files and password.lst
have been updated. A new pre-defined "incremental" mode "Alnum" (for
alphanumeric) has been added. A bug with the handling of break
statements with nested loops in the external mode compiler has been
fixed.

2005/12/13 Package: postfix

Updated to 2.2.7.

2005/12/11 Package: man-pages;
Owl/build/installorder.conf

Updated to 2.16, including the addition of POSIX man pages in their own
subpackage.

Backported upstream fix for a potential stack-based buffer overflow in
cpio. When cpio is used by a privileged user to archive files created
by a less privileged user, it is possible to overflow a buffer on the
stack with a very large sparse file. This issue only affects 64-bit
platforms.
Reference:
http://lists.gnu.org/archive/html/bug-cpio/2005-11/msg00004.html

Applied upstream fix for a potential buffer overflow in printpathn().
When "strace -p" is used by a privileged user to attach to a less
privileged process, the latter may overflow a static fixed-size buffer
with arbitrary data of arbitrary length.

2005/10/23 Package: zlib

Updated to 1.2.3.

2005/10/23 Package: coreutils

Updated to 5.92.

2005/10/23 Package: net-tools

Updated to 1.60.

2005/10/22 Package: m4

Updated to 1.4.4.

2005/10/21 Package: lilo

Updated to 22.7.1 with added patches both to LILO itself and to the
mkrescue(8) script.

2005/10/20 Package: kbd

Updated to 1.12.

2005/10/20 Packages: openntpd, owl-etc;
Owl/build/installorder.conf

New package: OpenNTPD is an NTP time synchronization server and client.

2005/10/20 Packages: setarch, sparc32;
Owl/build/installorder.conf

sparc32 has been replaced with setarch, which is not limited to the
SPARC architecture. setarch is a utility to set machine
sub-architecture type and Linux kernel personality flags for individual
program invocations.

2005/10/20 Package: silo

Updated to 1.4.9.

2005/10/20 Package: elfutils-libelf

Updated to 0.115.

2005/10/17 Package: rpm

Changed package upgrade algorithm to remove old files on "-U --force"
even if package versions match. When comparing package versions on -U
or -F, take build dates into account.

Applied upstream fix for potential SSL 2.0 rollback during SSL handshake.
Applications using either SSL_OP_MSIE_SSLV2_RSA_PADDING or SSL_OP_ALL
option miss a verification step in the SSL 2.0 server supposed to prevent
active protocol-version rollback attacks. With this verification step
disabled, an attacker acting as a "man in the middle" can force a client
and a server to negotiate the SSL 2.0 protocol even if these parties
both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have
severe cryptographic weaknesses and is supported as a fallback only.
References:
https://www.openssl.org/news/secadv_20051011.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969

Applied fixes from CVS snapshot 20050525, imported a few patches from
ALT Linux.

2005/08/11 Package: postfix

Updated to 2.2.5.

2005/08/10 Package: strace

Updated to 4.5.13.

2005/08/08 Package: mtree

Updated to version from current OpenBSD (post-3.7). Fixed a number of
bugs in mtree spec file creation and parsing, including with processing
of filenames starting with the hash character ('#') or containing
glob(3) wildcard characters, of comment lines ending with a backslash
('\\'), and of files not ending with a linefeed.

2005/08/03 -
2005/08/08 Package: owl-setup; Owl/doc/INSTALL

The shell-script-based Owl setup utility has finally been replaced by
the new installer written in C++. There are two programs: "setup",
which may be used to (re-)configure the current system (whether
CD-booted or installed on a hard drive), and "settle", the Owl installer
to be run off an Owl CD to install Owl on a hard drive.

2005/07/28 Package: openssh

Added delayed compression support for SSH protocol 2 (a back-port of
the changes committed into the OpenBSD CVS repository recently),
enabled in sshd by default. With the new default setting, sshd will
only allow for compression to be enabled after authentication.
Unfortunately, this requires SSH client support as well, meaning that
old SSH protocol 2 clients will be unable to use compression with our
new sshd at its default setting. SSH protocol 1 has always insisted
on authentication prior to compression and thus is unaffected by this
change. The rationale for the change is to reduce the exposure of
potential vulnerabilities in the code associated with compression (in
OpenSSH itself and in zlib). Thanks to Markus Friedl for working on
this and for bringing it to our attention.

New package: elfutils-libelf provides a library for reading and writing
ELF files on a high level. Updated ltrace to 0.3.36 (making use of
libelf). This makes ltrace work for program binaries built with recent
versions of binutils.

Implemented a number of bitslice DES set_key*() optimizations
resulting in speedups for LM hashes, as well as for traditional
DES-based crypt(3) hashes when only a handful of hashes are loaded.

2005/04/10 Package: dhcp

dhcpd(8) and dhcrelay(8) will now drop privileges by default (rather
than only when the appropriate command line options are given).
Previously, they would fail to work when no privilege reduction was
requested (a bug).

The OpenBSD-derived strlcpy(3) and strlcat(3) functions are now
included in libc_nonshared.a such that they're available with dynamic
linking but are nevertheless linked in statically in order to make
sure that no programs become dependent on the presence of these
extensions in the shared library. The strlcpy(3) and strlcat(3) man
pages have been added.

2005/02/19 -
2005/02/21 Package: psmisc

Updated to 21.5.

2005/02/06 Package: perl
SECURITY FIX Severity: low, local, passive

Corrected File::Path::rmtree to never make directories and files
world-read/writable and updated its documentation to reflect the
remaining security and reliability problems. Thanks to Jeroen van
Wolffelaar for discovering this problem and reporting it to Debian.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452

"useradd" and related tools will now optionally allow user and group
names longer than 8 characters, even though these may not be fully
supported by the rest of Owl and by third-party software. This is
controlled with the added USERNAME_MAX and GROUPNAME_MAX settings in
/etc/login.defs, both of which are documented in login.defs(5).

2004/11/05 Package: modutils

Updated to 2.4.27.

2004/11/03 Owl/doc/REDHAT

New file: a list of known issues with using packages from or intended
for Red Hat Linux on Owl.

Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects
the access control check which previously wrongly allowed any local
user to change the group ownership of arbitrary NFS-exported/imported
files and adds a workaround for the file offset pointer races
discovered by Paul Starzetz. The former is only exploitable when
files are NFS-exported from a server running a vulnerable version of
Linux 2.4.x, and the currently publicly known exploit for the latter
relies on code enabled with CONFIG_MTRR kernel build option which has
not been enabled in the default kernels on Owl CDs. However, as the
potential impact of both issues is a local root compromise, an upgrade
of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
https://isec.pl/en/vulnerabilities/isec-0016-procleaks.txt

Updated sed to 4.1.1 and other packages' build scripts to make use of
the new sed's in-place editing ability ("sed -i").

2004/07/10 Package: gdb

Updated to 6.1.1.

2004/06/22 Package: dhcp

Added a bounds checking patch covering sprintf() calls with "%s"
format specifier and non-constant strings and forcing the use of
snprintf() and vsnprintf() in all places where that was previously
supported but not enabled. Thanks to Gregory Duchemin for discovering
that some of these actually resulted in a vulnerability in versions of
the DHCP suite newer than the one we're using in Owl.

Properly check the return value from pam_chauthtok(3) in chfn(1) and
chsh(1). Previously, if the chfn and/or chsh commands were enabled
for non-privileged users with control(8), it would have been possible
for a logged in user with an expired password to change their "Full
Name" and login shell without having to change the password. Thanks
to Steve Grubb and Martin Schulze for discovering this problem.

Added a fix to the CVS client to ensure that pathnames provided by a
CVS server point to within the working directory. Without this fix, a
malicious CVS server could cause the CVS client to attempt to create
files at arbitrary locations thus gaining control over the user
account. This problem has been brought to the attention of CVS
developers and distribution vendors by Sebastian Krahmer of SuSE.
Additionally, CVS server has been further restricted to disallow the
use of relative pathnames to view files outside of the CVS repository.
However, despite this last fix, it should not be assumed that CVS
server provides any security against a malicious client being able to
access arbitrary files available under the privileges granted to the
CVS server at the OS level.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405
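
Added example (not the CVS patch and not code from Owl): one way a client can
confirm that a pathname received from a server stays within its working
directory, including the case where a symlink inside that directory points
elsewhere. The function names safe_target and demo, the directory layout and
the sample pathnames are all constructed for illustration.

```python
import os
import tempfile

def safe_target(workdir, server_path):
    """Map a server-supplied pathname into workdir.

    Raises ValueError if the result would land outside workdir.
    """
    root = os.path.realpath(workdir)
    # realpath collapses ".." and resolves symlinks in the part of the path
    # that already exists; an absolute server_path replaces root in join()
    # and is then caught by the containment test below.
    target = os.path.realpath(os.path.join(root, server_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"pathname escapes working directory: {server_path!r}")
    return target

def demo():
    """Build a constructed layout and classify sample server pathnames.

    Layout: <base>/work is the working directory, <base>/outside is not,
    and <base>/work/link is a symlink to <base>/outside.
    """
    samples = [
        "src/main.c",             # ordinary relative path
        "../outside/x",           # plain parent-directory escape
        "src/../../outside/x",    # escape hidden behind a valid prefix
        "/var/tmp/x",             # absolute path
        "link/x",                 # passes a purely lexical check, escapes via symlink
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        work = os.path.join(base, "work")
        outside = os.path.join(base, "outside")
        os.mkdir(work)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(work, "link"))
        for path in samples:
            try:
                safe_target(work, path)
                results[path] = "ok"
            except ValueError:
                results[path] = "rejected"
    return results

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

The check and the later file creation are separate steps, so the working
directory must not be writable by anyone else between them.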

Updated to 1.4.2.1. This release of Mutt is a security fix, but Owl
was not affected with its current glibc because of the lack of UTF-8
locales support.

2004/02/08 Package: SimplePAMApps

In login(1) and su(1), generate ut_id's consistently with libutempter
and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make
"su -" replace existing utmp entries for the duration of the su session.

2004/02/08 Package: chkconfig

Updated to 1.3.9.

2004/01/20 -
2004/01/29 Packages: perl, vim

Updated Perl to 5.8.3.

2004/01/21 -
2004/01/28 Packages: links, elinks

Links has been replaced with ELinks 0.9.0 and further with 0.9.1.

2004/01/18 Package: owl-startup

Added /sbin/service script for Red Hat Linux compatibility. Set
net.ipv4.tcp_timestamps = 0 to prevent leaks of the system's exact
uptime. There's a detailed comment in /etc/sysctl.conf explaining
this option and possible drawbacks of having it set one way or the
other.

2004/01/17 Package: procps

In top, handle ticks going backwards gracefully. This may happen due
to kernel and hardware issues and previously resulted in top reporting
absurd idle processor time percentages under high load on SMP systems.

2004/01/14 Package: screen

Updated to 4.0.2.

2004/01/10 Package: john

Corrected a segfault with --stdin introduced with John 1.6.34.2.

2004/01/05 Package: sysklogd

The startup script will now accept command-line options for syslogd
and klogd specified in /etc/sysconfig/syslog.